CVE-2025-62662
BaseFortify
Publication date: 2025-10-18
Last updated on: 2025-10-21
Assigner: wikimedia-foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| the_wikimedia_foundation | mediawiki-advancedsearch_extension | * |
| the_wikimedia_foundation | mediawiki | 1.45.0-alpha |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62662 is a stored Cross-Site Scripting (XSS) vulnerability in the AdvancedSearch extension of MediaWiki. It occurs because multiple system messages are inserted directly as HTML without proper escaping. These messages, retrieved using the mw.msg function, are stored in a variable and then embedded into the page as HTML, allowing malicious scripts to execute if crafted payloads are present. This vulnerability was fixed by escaping these messages before insertion. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to inject and execute malicious scripts in the context of the affected MediaWiki site. This can lead to unauthorized actions such as stealing user credentials, session hijacking, defacement of the website, or distribution of malware to users visiting the site. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reproducing the XSS behavior in the AdvancedSearch extension of MediaWiki. Specifically, enable the AdvancedSearch extension, set the configuration variable $wgUseXssLanguage to true, and visit the URL /w/index.php?search=test&uselang=x-xss on your MediaWiki instance. If multiple alert pop-ups appear corresponding to various AdvancedSearch system messages, this indicates the presence of the stored XSS vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the official patch that escapes system messages before embedding them in HTML, as released by the Wikimedia security team. This patch fixes the stored XSS vulnerability with a minimal code change and has been deployed across multiple branches. If patching immediately is not possible, consider disabling the AdvancedSearch extension or setting $wgUseXssLanguage to false to prevent triggering the vulnerability until the patch can be applied. [1]